RMN Visualizer

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to be a real memory visualizer, but its recommended launch can expose snippets of local agent memory through a public Cloudflare link without clear access controls.

Install only if you are comfortable visualizing local agent memory. Prefer `node scripts/serve.js` and open localhost instead of using the public Cloudflare tunnel; if you do use the tunnel, review the scanned files first, do not share the link broadly, and stop the process when finished.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Private memory, task, identity, or project notes could be displayed in the visualizer.

Why it was flagged

The visualizer includes up to 200 characters of local memory content plus source paths in graph nodes, so it is not just showing aggregate metadata.

Skill content

```js
const node = { id, text: text.slice(0, 200), source, layer, weight, tags: extractTags(text) };
```

Recommendation

Use a narrowly scoped RMN_WORKSPACE, review memory files first, and add redaction or an explicit preview/approval step before serving the visualization.

What this means

Anyone who receives or guesses the public tunnel URL during the session may be able to view the memory visualization.

Why it was flagged

The launcher exposes the local visualization server through a Cloudflare Tunnel, creating a public URL for data derived from local memory files.

Skill content

```js
const tunnel = spawn('cloudflared', ['tunnel', '--url', `http://localhost:${PORT}`], {
```

Recommendation

Prefer the local-only mode by default, require explicit user consent before opening a tunnel, and protect the public view with an access token or other authentication.

What this means

The security of the tunnel depends on the cloudflared binary already present on the user's machine.

Why it was flagged

The quick-launch workflow depends on an external cloudflared binary that is not installed or pinned by the skill package.

Skill content

- `cloudflared` ([installation guide](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/downloads/))

Recommendation

Install cloudflared only from the official source, keep it updated, and consider declaring it explicitly as a required binary.